Decrypting files after the STOP ransomware

Emsisoft specialists, together with ransomware expert Michael Gillespie, have released a free decryptor for the STOP Trojan. The utility works with 148 variants of the malware and can decrypt files that were encrypted no later than August of this year.

STOP ransomware attacks

Although STOP is less well known than GandCrab, Dharma and other ransomware Trojans, it accounts for more than half of the attacks detected this year. The next entry in the ranking, the aforementioned Dharma, lags behind it by more than a factor of four. STOP's diversity plays a significant role in its prevalence: during its most active periods, experts discovered three to four new versions a day, each of which hit several thousand victims.

The family currently includes about 160 variants, and the total number of affected users is approaching half a million. Most attacks occur in Europe, South America, India and Southeast Asia; the threat has also reached the United States, Australia and South Africa. The ransomware avoids Russian users by checking the language settings of the infected system before it starts encrypting.

Victims most often receive STOP bundled with pirated and free software. The malware not only encrypts user files but also installs malicious browser extensions, click-fraud tools and other unwanted programs. At the start of 2019, experts reported that one version of STOP distributes the Azorult Trojan, which can steal user data and deliver further malware to the computer.

How to decrypt data after a STOP attack

The published decryptor is not the first attempt to tackle this encryptor. Researchers had previously discovered offline keys in its code, which the malware falls back to when it cannot reach its command-and-control server. In some cases this find makes it possible to restore files, but over time the attackers changed the encryption mechanism. Experts have also developed a decryptor, still working today, for the Puma ransomware, which belongs to the STOP family.

The tool by Gillespie and the Emsisoft specialists exploits a characteristic feature of how STOP operates: the malware derives the encryption key from the first five bytes of the target file. This lets the experts recreate the key whenever the original file is available. Moreover, files of some formats begin with the same bytes; modern Microsoft Office documents (.docx, .xlsx, .pptx), for example, are ZIP containers and start with the same header as ZIP archives. As a result, decrypting one such file makes it possible to handle the other formats that share its header.
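The following is an added illustration of the file-pair (known-plaintext) idea described above; it is not Emsisoft's or Gillespie's code and not STOP's real algorithm. It assumes a toy cipher in which a per-file key is derived from a per-victim secret plus the first five plaintext bytes and the file is XORed with a keystream expanded from that key. Under that assumed model, one (original, encrypted) pair reveals the keystream for every file that shares the same five-byte header, which is why Office Open XML documents fall together with ZIP archives and why a separate pair is needed for a format with a different header (a PDF here). All function names and sample files are hypothetical and constructed inline.

```python
"""Toy model of the STOP decryptor's file-pair approach (added example).

The cipher is a stand-in, NOT STOP's real scheme: per-file key = HMAC(victim
secret, first 5 plaintext bytes); ciphertext = plaintext XOR keystream(key).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

HEADER_LEN = 5
# Constructed sample headers: ZIP local-file header + "version needed" byte 0x14,
# shared by .zip and Office Open XML (.docx/.xlsx/.pptx); PDF files start with "%PDF-".
ZIP_HEADER = b"PK\x03\x04\x14"
PDF_HEADER = b"%PDF-"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_file_key(victim_secret: bytes, plaintext: bytes) -> bytes:
    """Toy per-file key: depends only on the victim secret and the first 5 bytes."""
    return hmac.new(victim_secret, plaintext[:HEADER_LEN], hashlib.sha256).digest()


def toy_keystream(key: bytes, length: int) -> bytes:
    """Counter-mode expansion of the key into a keystream (toy, not Salsa20)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(victim_secret: bytes, plaintext: bytes) -> bytes:
    """What the toy 'ransomware' does to every file on the victim's disk."""
    key = toy_file_key(victim_secret, plaintext)
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


# --- decryptor side: the victim secret is unknown, only file pairs are available ---

def learn_from_pair(original: bytes, encrypted: bytes) -> Tuple[bytes, bytes]:
    """'Train' on one pair: returns (header, keystream prefix = C XOR P).

    Because the toy key depends only on the header, this keystream is valid
    for every file starting with the same 5 bytes, up to the pair's length."""
    if len(original) != len(encrypted):
        raise ValueError("pair must be the same file before and after encryption")
    return original[:HEADER_LEN], xor_bytes(original, encrypted)


def decrypt_with_trained_pairs(trained: Dict[bytes, bytes], encrypted: bytes) -> Optional[bytes]:
    """Try every learned (header, keystream); accept a result only if the
    recovered plaintext really carries that header (a built-in self-check).
    Returns None when no pair covers this format or the pair was too short."""
    for header, keystream in trained.items():
        if len(keystream) < len(encrypted):
            continue  # the training pair was shorter than this file
        candidate = xor_bytes(encrypted, keystream[: len(encrypted)])
        if candidate.startswith(header):
            return candidate
    return None


def demo() -> Dict[str, bool]:
    """Constructed scenario: one .docx pair unlocks an .xlsx, but not a PDF."""
    victim_secret = os.urandom(32)  # known only to the attacker
    docx = ZIP_HEADER + b"report body " * 40
    xlsx = ZIP_HEADER + b"sheet data " * 30  # different format, same header, shorter
    pdf = PDF_HEADER + b"1.7 page content " * 20
    enc = {name: toy_encrypt(victim_secret, data)
           for name, data in (("docx", docx), ("xlsx", xlsx), ("pdf", pdf))}

    header, keystream = learn_from_pair(docx, enc["docx"])  # train on one pair
    trained = {header: keystream}
    results = {
        "xlsx_decrypted_from_docx_pair": decrypt_with_trained_pairs(trained, enc["xlsx"]) == xlsx,
        "pdf_fails_without_own_pair": decrypt_with_trained_pairs(trained, enc["pdf"]) is None,
    }
    pdf_header, pdf_ks = learn_from_pair(pdf, enc["pdf"])  # add a PDF pair
    trained[pdf_header] = pdf_ks
    results["pdf_decrypted_after_own_pair"] = decrypt_with_trained_pairs(trained, enc["pdf"]) == pdf
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

In this model the pair's length bounds how much of any other file can be recovered, and the header check guards against applying the wrong keystream. The real decryptor recovers the key itself rather than a keystream prefix, which is why its constraints (pairs per format, size limits, online training) differ from this toy.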

To use the decryptor, the user first has to train it by uploading the same document in both its encrypted and original form through the online interface. A pair like this is needed for each file format that is to be restored. Once trained, the utility can decrypt all files of the corresponding formats.

The decryptor's creators specify that the program is trained on files of up to 150 KB. The experts recommend looking for suitable originals in email: attachments may still be sitting in messages whose copies the user also saved to the hard drive.

Once training is complete, a link to the decryptor appears. The user downloads and runs it, accepts the license agreement, and then points it at the folders containing the encrypted files. The utility's creators stress that decryption may take a long time and that the program needs an Internet connection throughout the process.

According to the experts, the decryptor can restore the data of about 70% of STOP victims. Other users are advised to archive their encrypted data and wait for new utilities to appear.

Source: https://threatpost.ru